
FOREMOST 
----------------------------------------------------------------------

Foremost is a Linux program to recover files based on their headers and 
footers. Foremost can work on image files, such as those generated by dd, 
Safeback, Encase, etc., or directly on a drive. The headers and footers are 
specified by a configuration file, so you can pick and choose which headers 
you want to look for.



--------------------------------------------
INSTALL FOREMOST
--------------------------------------------

To run foremost, you must:

- uncompress the archive
- compile
- install

Here's how to do it:

$ tar zxvf foremost-xx.tar.gz
$ cd foremost-xx
$ make
$ make install

On systems with older versions of glibc (earlier than 2.2.0), you will get 
some harmless warnings about ftello and fseeko not being defined. You can 
ignore these.


If you ever need to remove foremost from your system, you can do this:

$ make uninstall



--------------------------------------------
USING FOREMOST
--------------------------------------------

A description of the command line arguments can be found in the man page. 
To view it:

$ man foremost



--------------------------------------------
CONFIGURATION FILE FORMAT
--------------------------------------------

The configuration file is used to control what types of files foremost
searches for. A sample configuration file, foremost.conf, is included with
this distribution. For each file type, the configuration file describes
the file's extension, whether the header and footer are case sensitive,
the maximum file size, and the header and footer for the file. The footer
field is optional, but header, size, case sensitivity, and extension are
not!

Any line that begins with a '#' is considered a comment and ignored. Thus,
to skip a file type just put a '#' at the beginning of that line.

Headers and footers are decoded before use. To specify a value in
hexadecimal use \x[0-f][0-f], and for octal use \[1-9][1-9][1-9].  Spaces
can be represented by \s. Example: "\x4F\123\I\sCCI" decodes to "OSI CCI".

To match any single character (aka a wildcard) use a '?'. If you need to
search for the '?' character, you will need to change the 'wildcard' line
*and* every occurrence of the old wildcard character in the configuration
file. Don't forget those hex and octal values! '?' is equal to 0x3f and
\063.

Here's a sample set of headers and footers:

# extension  case-sens  max-size   header                      footer
#
# GIF and JPG files (very common)
    gif      y          155000     \x47\x49\x46\x38\x37\x61    \x00\x3b
    gif      y          155000     \x47\x49\x46\x38\x39\x61    \x00\x00\x3b
    jpg      y          200000     \xff\xd8\xff                \xff\xd9
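As an added example (not code from the Foremost distribution), here is a small
Python implementation of the scheme this section describes: it decodes the
escaped header/footer syntax (\xHH, three-digit octal, \s, and a backslash
before any other character giving that character literally), parses entries of
the extension / case-sensitivity / max-size / header / optional-footer shape
shown above, and carves matching blocks out of an in-memory image, cutting at
max-size when no footer is found in range. The function names, the constructed
sample image and the 'txt' entry are my own; the wildcard byte is passed as a
parameter rather than read from the conf's 'wildcard' line, whose exact syntax
this README does not show, and where scanning resumes after a hit is a design
choice of this example, not a statement about how Foremost itself behaves.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WILDCARD = b"?"  # default single-byte wildcard (foremost.conf's 'wildcard' line may change it)


@dataclass
class FileType:
    ext: str
    case_sensitive: bool
    max_size: int
    header: bytes
    footer: Optional[bytes]  # the footer field is optional in the format


def decode_pattern(raw: str) -> bytes:
    """Decode a header/footer field: \\xHH hex, \\NNN octal, \\s space, \\c literal c."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(ord(raw[i]))
            i += 1
        elif raw[i + 1:i + 2] == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 2:i + 4]):
            out.append(int(raw[i + 2:i + 4], 16))  # hex form is tried first
            i += 4
        elif re.fullmatch(r"[0-7]{3}", raw[i + 1:i + 4]):
            out.append(int(raw[i + 1:i + 4], 8))   # e.g. \123 -> 'S'
            i += 4
        elif raw[i + 1:i + 2] == "s":
            out.append(0x20)
            i += 2
        elif i + 1 < len(raw):
            out.append(ord(raw[i + 1]))            # e.g. \I -> 'I'
            i += 2
        else:
            raise ValueError("dangling backslash in %r" % raw)
    return bytes(out)


def parse_conf(text: str) -> List[FileType]:
    """Parse entries of the form: ext case-sens(y/n) max-size header [footer]."""
    types = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # '#' lines are comments
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("entry needs ext, case, size and header: %r" % line)
        ext, case, size, header = fields[:4]
        footer = fields[4] if len(fields) > 4 else None
        types.append(FileType(ext, case.lower() == "y", int(size), decode_pattern(header),
                              decode_pattern(footer) if footer else None))
    return types


def pattern_regex(pat: bytes, case_sensitive: bool, wildcard: bytes = WILDCARD) -> re.Pattern:
    """Compile a decoded pattern to a bytes regex; the wildcard byte matches any byte."""
    parts = [b"." if bytes([b]) == wildcard else re.escape(bytes([b])) for b in pat]
    return re.compile(b"".join(parts), re.DOTALL | (0 if case_sensitive else re.IGNORECASE))


def carve(image: bytes, ft: FileType, wildcard: bytes = WILDCARD) -> List[Tuple[int, bytes]]:
    """Return (offset, data) for every hit of ft in image: from the header to the end of
    the first footer within max_size bytes, or cut at max_size when no footer is found."""
    head_re = pattern_regex(ft.header, ft.case_sensitive, wildcard)
    foot_re = pattern_regex(ft.footer, ft.case_sensitive, wildcard) if ft.footer else None
    hits, pos = [], 0
    while (m := head_re.search(image, pos)) is not None:
        start = m.start()
        window = image[start:start + ft.max_size]
        end = len(window)
        if foot_re is not None:
            f = foot_re.search(window, m.end() - start)   # footer must follow the header
            if f is not None:
                end = f.end()
        hits.append((start, window[:end]))
        pos = start + end     # design choice: resume scanning after the carved block
    return hits


# Constructed sample configuration: the gif/jpg lines follow the README's sample, the
# 'txt' line is made up to exercise \s, the '?' wildcard and case-insensitive matching.
SAMPLE_CONF = r"""
# extension  case-sens  max-size  header                     footer
gif          y          155000    \x47\x49\x46\x38\x39\x61   \x00\x00\x3b
jpg          y          200000    \xff\xd8\xff               \xff\xd9
txt          n          64        OSI\sCC?
"""


def build_sample_image() -> bytes:
    """Constructed 'disk image': a GIF89a, a JPEG and a text fragment between filler."""
    gif = b"GIF89a" + b"\x01\x02" * 10 + b"\x00\x00\x3b"
    jpg = b"\xff\xd8\xff\xe0JFIF\x00" + bytes(range(32)) + b"\xff\xd9"
    txt = b"osi cca: filler text"
    return b"\x00" * 17 + gif + b"junk" * 3 + jpg + b"\xaa" * 5 + txt + b"\x00" * 8


def run_sample() -> Dict[str, List[Tuple[int, bytes]]]:
    image = build_sample_image()
    return {ft.ext: carve(image, ft) for ft in parse_conf(SAMPLE_CONF)}


if __name__ == "__main__":
    print({ext: [(off, len(d)) for off, d in hits] for ext, hits in run_sample().items()})
```

Two points worth noticing in the code. The decoder tries the \x form before
the octal form, so \x4F is never misread as a literal 'x'; and the wildcard is
substituted after decoding, so a header that must contain a literal '?' needs
a different wildcard byte, which is exactly the situation the paragraph above
describes. The 'txt' entry also shows what happens with no footer: the carved
block is simply everything from the header up to max-size (or the end of the
image), so a generous max-size for a footer-less type means a lot of trailing
junk in each recovered file.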



--------------------------------------------
BUG REPORTING
--------------------------------------------

Please report ALL bugs to jesse.kornblum@ogn.af.mil. Please include a 
description of the bug, how you found it, and your contact information.



--------------------------------------------
TESTING AND VALIDATION
--------------------------------------------

THIS PROGRAM HAS NOT BEEN TESTED OR APPROVED BY THE AIR FORCE OFFICE OF 
SPECIAL INVESTIGATIONS, THE DEFENSE COMPUTER FORENSICS LAB, OR THE UNITED 
STATES GOVERNMENT. NO WARRANTY OR GUARANTEE IS MADE REGARDING THE 
SOUNDNESS OF THIS PROGRAM.



--------------------------------------------
CREDITS AND THANKS
--------------------------------------------

Foremost was written by SA Kris Kendall and SA Jesse Kornblum of the Air 
Force Office of Special Investigations starting in March 2001. This 
program would not be what it is today without help from (in no particular 
order): Rob Meekins, Dan Kalil, and Chet Maciag. This project was inspired 
by CarvThis, written by the Defense Computer Forensic Lab in 1999. 

Foremost is (C) Copyright 2002 Air Force Office of Special Investigations 
and is licensed under the terms of the General Public License. A full copy 
of this license can be found in the file LICENSE.

